RE: Open Ports

  • From: "Chris Bond" <chris@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 1 Sep 2001 10:05:17 +0100

Cheers, it's set my mind at ease - just find it weird it's not mentioned
anywhere. I think it'd be another good addition to isaserver.org!

> -----Original Message-----
> From: Hugo Caye [mailto:Hugo@xxxxxxxxxxxxx]
> Sent: 31 August 2001 8:47
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Open Ports
> 
> http://www.ISAserver.org
> 
> 
> 
> If you can "stealth" ports not advertising that they're "closed for
> business" in any TCP/IP host, configure it not to send ICMP Unreachable.
> In a Cisco router, at the interface level use the "no ip unreachables"
> command.
> 
> In ISA, just disable the packet filter called "ICMP unreachable in" that's
> enabled by default. Please note that this preconfigured packet filter
> disables all type 3 codes, and to stealth ports only code 3 (port
> unreachable) is enough.
> 
> ICMP Type=3 Destination Unreachable, Code=3 Port Unreachable (RFC792).
> 
> 
> -----Original Message-----
> From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
> Sent: Friday, 31 August 2001 10:25
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Open Ports
> 
> According to the TCP/IP spec, every port should respond with one of two
> options:
> 1: "Here I am, what can I do for you?"
> 2: "Sorry, closed for business."
> 
> Paranoid Internet security types have added a third to the mix:
> 3: "..."
> which Steve Gibson so charmingly refers to as 'stealthed' ports.
> 
> In other words, you should get a response on every port, but shouldn't
> be able to open a connection that you haven't allowed.
> 
> Now, also, bear in mind that what you're doing is NAT.  In other words,
> if you were to throw your firewall wide open, people still wouldn't be
> able to access anything that wasn't explicitly running on your ISA box,
> but is running behind your ISA box, unless you set up specific
> publishing rules.  With a forwarding firewall, you'd be thinking
> differently.
> 
> -----Original Message-----
> From: Chris Bond [mailto:chris@xxxxxxxxxxxx]
> Sent: Friday, August 31, 2001 7:27 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Open Ports
> 
> Hi,
> 
> Just ran a port scan on the external interface of ISA and get the following
> results:
> 
> 25 smtp
> 53 domain
> 88 kerberos
> 110 pop3
> 135 epmap
> 139 netbios-ssn
> 143 imap
> 389 ldap
> 443 https
> 445 microsoft-ds
> 464 kpasswd
> 636 ldaps
> 1723 pptp
> 
> Plus a few others
> 
> Luckily at the moment the cisco router has an ACL on that only allows 25
> through.  What is the correct solution to stop it listening for these
> requests on the external interface (apart from port 25 of course)?
> Although it does seem to say "* BYE Connection refused" and drop the
> packets, I just find it weird that it has the ports open in the first place?
> 
> Anybody got any ideas?
> 
> Kind Regards,
> Chris Bond
> 
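The ICMP message Hugo refers to, as an added example that is not part of this thread (Python; the packet below is constructed here, and the function names are my own): it validates an RFC 792 Destination Unreachable message, reports which type 3 code it carries, and reads the offending probe back out of the embedded IP header, which is how to confirm from a capture whether a firewall is still answering closed UDP ports with code 3 (closed TCP ports reply with RST, so this message concerns UDP probes).

```python
import struct

# Destination Unreachable codes from RFC 792; stealthing needs only code 3.
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable",
                     4: "fragmentation needed", 5: "source route failed"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_unreachable(code: int, offending: bytes) -> bytes:
    """Assemble a type 3 message carrying the offending IP header + 8 bytes (RFC 792)."""
    head = struct.pack("!BBHI", 3, code, 0, 0) + offending
    return struct.pack("!BBHI", 3, code, icmp_checksum(head), 0) + offending

def parse_unreachable(icmp: bytes) -> dict:
    """Decode a type 3 message and identify the probe that triggered it."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short for ICMP header + inner IP header + 8 bytes")
    if icmp[0] != 3:
        raise ValueError("not a Destination Unreachable message (type %d)" % icmp[0])
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    code = icmp[1]
    inner = icmp[8:]                       # IP header of the offending datagram
    ihl = (inner[0] & 0x0F) * 4            # its header length in bytes
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])  # ports sit in the first 8 bytes
    return {"code": code, "meaning": UNREACHABLE_CODES.get(code, "other"),
            "stealth_relevant": code == 3, "proto": inner[9],  # 6 = TCP, 17 = UDP
            "probe_src": src, "probe_dst": dst, "sport": sport, "dport": dport}

# Constructed sample: UDP probe 192.0.2.10:40000 -> 192.0.2.1:53 (IP header + UDP header).
SAMPLE_PROBE = (struct.pack("!BBHHHBBH4B4B", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                            192, 0, 2, 10, 192, 0, 2, 1)
                + struct.pack("!HHHH", 40000, 53, 8, 0))
SAMPLE_REPLY = build_unreachable(3, SAMPLE_PROBE)

if __name__ == "__main__":
    print(parse_unreachable(SAMPLE_REPLY))
```

A host or firewall that has been stealthed in the way Hugo describes will produce no such message at all for the probe, so its absence in a capture is the expected result.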